Best Practice: Formatting query output using select()

LogScale has several functions that format query output. While the table() function is an option, the select() function is easier to use.

// Get all user logon events for User SID S-1-5-21-*
#event_simpleName=UserLogon event_platform=Win UserSid="S-1-5-21-*"
// Invoke saved query to enrich UserIsAdmin field
| $ConvertUserIsAdmin()
// Use select to output in tabular format
| select([@timestamp, aid, ClientComputerName, UserName, LogonType, UserIsAdmin_Readable])

An example of formatted query output using select()

Note that this example uses a saved query. To read more about how to create and invoke a saved query, see our Knowledge Base article Best Practice: Leveraging saved queries as functions.